Published by Kristian Williams. Modified over 9 years ago.
Chapter 7 Security in Networks
Figure 7-1 Simple View of Network.
Terminology
Node: single computing system in a network.
Link: connection between two hosts.
Workstation: end user computing device for a single user.
System: collection of processors and a mixture of workstations.
More Complex Network
Media
Cable:
  ◦ UTP (unshielded twisted pair): Cat 5 uses pins 1, 2, 3 & 6; Cat 6 uses all 4 pairs of wires.
Optical: fiber, gigabit, 2.5 mile limit.
Microwave: line of sight.
Infrared: up to 9 miles.
  ◦ Portable devices.
Wireless Media
Wireless: interference in the 2.4 GHz range.
Wireless 802.11:
  Type       Top Speed (Mbps)   Frequency (GHz)
  802.11     2                  2.4
  802.11a    54                 5
  802.11b    11                 2.4
  802.11g    54                 2.4
  802.11n    144+               2.4 and/or 5
7
Figure 7-3 Microwave Transmission. Line-of-sight About 30 miles
8
Figure 7-4 Satellite Communication. Geosynchronous orbit.
9
OSI Model Physical Data Link Network Transport Session Presentation Application
OSI Layers
Application: access to the OSI environment and distributed IS.
Presentation: hides implementation details of the data.
Session: controls communication between applications; sets up, connects and terminates connections.
OSI Layers (Cont'd)
Transport: reliable communications, end-to-end recovery and flow control.
Network: isolates upper layers from connectivity details.
Data Link: controls block transmission (error, flow, synchronization).
Physical: unstructured data transmission.
Source: Stallings, W. (2007). Data and Computer Communications (8th ed.). Upper Saddle River, NJ: Pearson Prentice Hall.
Server Sample Flow
Application → Presentation → Session → Transport → Network → Data Link → Physical → Data
Server: Application → Presentation → Session → Transport → Network → Data Link → Physical → Data
Internet Protocol Stack
Physical, Data Link Control, Network/Internet, Transport, Application.
OSI vs. IP
  OSI              IP
  Application    \
  Presentation    > Application
  Session        /
  Transport        Transport
  Network          Network/Internet
  Data Link        Data Link Control
  Physical         Physical
Internet Protocols
Protocols at OSI Layers
Figure 7-6 Transformation.
Figure 7-7 Network Layer Transformation.
Figure 7-8 Data Link Layer Transformation.
Figure 7-9 Message Prepared for Transmission.
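The layer descriptions above and the transformation figures (7-6 to 7-9) show a message gaining a header at each layer on the way down and losing them again on the way up. The following is an added example (not the textbook's code): it carries one application message down through simplified transport, network and data-link headers, appends a CRC-32 frame check sequence, and then decapsulates it, rejecting the frame when a bit has been flipped in transit. The header layouts are stand-ins chosen for this example, not the real TCP, IP or Ethernet formats.

```python
# Added example, not the textbook's code: one message carried down the stack and
# back up, as in Figures 7-6 to 7-9. The header layouts are simplified stand-ins
# chosen for this example, not the real TCP, IP or Ethernet formats.
import struct
import zlib

TRANSPORT_HDR = struct.Struct("!HHI")    # source port, destination port, sequence number
NETWORK_HDR = struct.Struct("!4s4sH")    # source address, destination address, total length
LINK_HDR = struct.Struct("!6s6sH")       # source MAC, destination MAC, payload length
FCS = struct.Struct("!I")                # frame check sequence (CRC-32) trailer


def _addr(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def _mac(colon_hex: str) -> bytes:
    return bytes.fromhex(colon_hex.replace(":", ""))


def encapsulate(data, sport, dport, seq, src_ip, dst_ip, src_mac, dst_mac) -> bytes:
    """Application data -> transport segment -> network packet -> data-link frame."""
    segment = TRANSPORT_HDR.pack(sport, dport, seq) + data                       # Figure 7-6
    packet = NETWORK_HDR.pack(_addr(src_ip), _addr(dst_ip),
                              NETWORK_HDR.size + len(segment)) + segment         # Figure 7-7
    frame = LINK_HDR.pack(_mac(src_mac), _mac(dst_mac), len(packet)) + packet    # Figure 7-8
    return frame + FCS.pack(zlib.crc32(frame))                                    # Figure 7-9


def decapsulate(frame: bytes) -> dict:
    """Strip the headers in reverse order; the data-link layer checks for bit errors first."""
    body, trailer = frame[:-FCS.size], frame[-FCS.size:]
    if FCS.unpack(trailer)[0] != zlib.crc32(body):
        raise ValueError("frame check sequence mismatch: frame corrupted in transit")
    src_mac, dst_mac, plen = LINK_HDR.unpack_from(body)
    packet = body[LINK_HDR.size:LINK_HDR.size + plen]
    src_ip, dst_ip, total = NETWORK_HDR.unpack_from(packet)
    if total != len(packet):
        raise ValueError("network layer length field does not match packet size")
    segment = packet[NETWORK_HDR.size:]
    sport, dport, seq = TRANSPORT_HDR.unpack_from(segment)
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip)),
        "sport": sport, "dport": dport, "seq": seq,
        "data": segment[TRANSPORT_HDR.size:],
    }


def corruption_is_detected(frame: bytes) -> bool:
    """Flip one bit inside the transport header and confirm the receiver rejects the frame."""
    damaged = bytearray(frame)
    damaged[LINK_HDR.size + NETWORK_HDR.size + 2] ^= 0x01
    try:
        decapsulate(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    frame = encapsulate(b"hello", 40000, 80, 1, "10.1.0.10", "203.0.113.8",
                        "02:00:00:00:00:01", "02:00:00:00:00:02")
    print(len(frame), decapsulate(frame)["data"], corruption_is_detected(frame))
```

The CRC only detects accidental corruption, which is the data-link layer's job on the slide; it offers no protection against a deliberate change, which is why the later slides on link and end-to-end encryption add cryptographic integrity checks.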
Local Area Network (LAN)
Covers a small distance: less than 2 miles, fewer than 100 users.
Locally controlled: owned and managed by on-site personnel.
Physically protected: at the business location.
Limited scope: single group, department or activity.
Figure 7-10 Typical LAN.
Wide Area Network
Larger than a LAN in size and distance. Can cover cities, states or countries.
Physically exposed: uses publicly available communications media, which is exposed.
Wide Area Network
Network Vulnerabilities
Anonymity: unknown users on the Internet.
Many points of attack.
Sharing: access to many systems.
Complexity: connections between many different types of systems and operating systems.
Unknown perimeter: bridging issues.
Participation on the Internet.
Figure 7-11 Unclear Network Boundaries.
Figure 7-12 Uncertain Message Routing in a Network. Cannot predict the path packets will take.
Figure 7-13 Path of Microwave Signals.
Why Attack Networks
Challenge: prove your skills.
Money and espionage: steal trade secrets.
Organized crime: botnets, bank thefts.
Cyberterrorism: local and remote.
Hacktivism: politically motivated.
How to Attack Networks
Reconnaissance
  ◦ Port scans: NMAP, fingerprint hosts, apps.
  ◦ Social engineering: trash, phone, phishing. Maltego: track a person's connections. Impersonation: gain physical access.
  ◦ Intelligence: media, employee lists. Wayback Machine: old web postings.
  ◦ Online documentation or postings. Default usernames in applications, etc.
Wiretapping / Man in the Middle
TEMPEST
  ◦ All electromagnetic transmissions have emanations.
Packet sniffing: Wireshark
  ◦ Encrypt transmissions.
Microwave/Satellite: easily accessible.
Fiber: quantum cryptography.
Wireless: Firesheep, wardriving.
Figure 7-14 Wiretap Vulnerabilities. Exposure points.
Figure 7-15 Key Interception by a Man-in-the-Middle Attack. Attacker acts as a proxy: intercepts and changes messages. Defense: encryption and endpoint authentication.
Figure 7-16 Smurf Attack. Directed broadcast IP addresses; forged source address. Response traffic larger than query traffic: 1 request = 1 reply per host on a network. Forged source will reply with a reset packet if the remote IP address exists.
Figure 7-17 Three-Way Connection Handshake. Normal connection setup.
Figure 7-18 Distributed Denial-of-Service Attack. Multiple (thousands of) remote IP addresses attacking a site; overwhelm servers and networks. Usually the source is a bot network.
Figure 7-19 Segmented Architecture. Reduce the number of threats and single points of failure; isolate business functions.
Figure 7-20 Link Encryption. Encrypt as you go on the wire.
Figure 7-21 Message Under Link Encryption.
Figure 7-22 End-to-End Encryption. Encryption performed at the highest level.
Figure 7-23 End-to-End Encrypted Message.
Figure 7-24 Encrypted Message Passing Through a Host. Message protected from disclosure.
Figure 7-25 Establishing a Virtual Private Network. Secure authentication, cryptographic hashes for integrity and ciphers for confidentiality.
Figure 7-26 VPN to Allow Privileged Access. Virtual dedicated link between entities on a public network.
Figure 7-27 Packets: (a) Conventional Packet; (b) IPSec Packet. Encapsulating Security Payload (ESP) provides authentication, integrity & confidentiality.
Figure 7-28 Encapsulated Security Packet.
Kerberos Authentication
Authentication, Authorization, Accountability (AAA).
Uses secret key encryption.
Provides mutual authentication of clients and servers.
Protects against network sniffing and replay attacks.
Kerberos Operational Steps
1. Kerberos principal (the user's client) contacts the Key Distribution Center (KDC) to authenticate.
2. KDC sends a session key to the user, encrypted with the user's secret key.
  ◦ KDC also sends a Ticket Granting Ticket (TGT), encrypted with the Ticket Granting Service's (TGS) secret key.
3. The user's client decrypts the session key and uses it to request permission to print from the TGS.
4. The TGS verifies the user's session key and sends the user a Client/Server (C/S) session key to use to print. The TGS also sends a service ticket, encrypted with the printer's private key.
5. Client connects to the printer. The printer sees a valid C/S session key and knows the user has permission to print and is an authentic user.
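The five steps above, played out in code as an added example (not the textbook's or MIT Kerberos' code): a KDC, a TGS, a client and a printer each hold only the keys the slide gives them, tickets are sealed under the secret key of the party that will open them, and the printer keeps a replay cache so that a sniffed authenticator resubmitted unchanged is refused, which is the "network sniffing and replay" protection from the previous slide. Assumptions made for the example: the symmetric cipher is a toy built from SHA-256 and HMAC so the script needs only the standard library (real Kerberos uses AES), the printer's key the slide calls a "private key" is modelled as a long-term secret key shared with the KDC, and ticket lifetimes and authenticator contents are simplified.

```python
# Added example (not the textbook's code): toy simulation of the Kerberos exchange
# in the five steps above. The cipher is a stand-in built from SHA-256 and HMAC so
# the script runs with only the standard library; real Kerberos uses AES and
# clock-skew windows. Keys and names below are constructed for the example.
import hashlib
import hmac
import json
import secrets
import time

TICKET_LIFETIME = 600  # seconds; assumed value for this example


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def toy_encrypt(key: bytes, obj) -> bytes:
    """Seal a JSON-serialisable object under `key`: keystream XOR plus an HMAC tag."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes):
    """Reject anything not sealed under `key` (wrong key or tampering), else decode."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Long-term secret keys (constructed). Only the KDC knows all of them.
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}   # derived from the password
TGS_KEY = secrets.token_bytes(32)                      # shared by KDC and Ticket Granting Service
SERVICE_KEYS = {"printer": secrets.token_bytes(32)}    # shared by KDC/TGS and the printer


def kdc_authenticate(user: str):
    """Steps 1-2: session key sealed under the user's key, TGT sealed under the TGS key."""
    session_key = secrets.token_bytes(32).hex()
    for_user = toy_encrypt(USER_KEYS[user], {"session_key": session_key})
    tgt = toy_encrypt(TGS_KEY, {"user": user, "session_key": session_key,
                                "exp": time.time() + TICKET_LIFETIME})
    return for_user, tgt


def tgs_grant(tgt: bytes, authenticator: bytes, service: str):
    """Step 4: open the TGT, check the authenticator, issue a C/S key and a service ticket."""
    info = toy_decrypt(TGS_KEY, tgt)
    session_key = bytes.fromhex(info["session_key"])
    auth = toy_decrypt(session_key, authenticator)   # only the real client knows session_key
    if auth["user"] != info["user"] or time.time() > info["exp"]:
        raise PermissionError("TGT does not match authenticator or has expired")
    cs_key = secrets.token_bytes(32).hex()
    ticket = toy_encrypt(SERVICE_KEYS[service], {"user": info["user"], "cs_key": cs_key,
                                                "exp": time.time() + TICKET_LIFETIME})
    return toy_encrypt(session_key, {"cs_key": cs_key}), ticket


class Printer:
    """Step 5: the service trusts the ticket because only the KDC/TGS could have sealed it."""

    def __init__(self):
        self.seen_authenticators = set()   # replay cache of (user, timestamp)

    def accept(self, ticket: bytes, authenticator: bytes) -> bool:
        info = toy_decrypt(SERVICE_KEYS["printer"], ticket)
        auth = toy_decrypt(bytes.fromhex(info["cs_key"]), authenticator)
        if auth["user"] != info["user"] or time.time() > info["exp"]:
            return False
        if (auth["user"], auth["ts"]) in self.seen_authenticators:
            return False                   # a sniffed, resubmitted authenticator is refused
        self.seen_authenticators.add((auth["user"], auth["ts"]))
        return True


def client_session(user: str, printer: Printer):
    """Client side of steps 1-5; returns (first request accepted, identical resubmission accepted)."""
    for_user, tgt = kdc_authenticate(user)                                           # steps 1-2
    session_key = bytes.fromhex(toy_decrypt(USER_KEYS[user], for_user)["session_key"])  # step 3
    authenticator = toy_encrypt(session_key, {"user": user, "ts": time.time()})
    for_client, ticket = tgs_grant(tgt, authenticator, "printer")                   # step 4
    cs_key = bytes.fromhex(toy_decrypt(session_key, for_client)["cs_key"])
    auth2 = toy_encrypt(cs_key, {"user": user, "ts": time.time()})                  # step 5
    first = printer.accept(ticket, auth2)
    resubmitted = printer.accept(ticket, auth2)   # same bytes again, as a replay would be
    return first, resubmitted


if __name__ == "__main__":
    print(client_session("alice", Printer()))   # (True, False)
```

The client never sees the TGS or printer keys and the printer never sees the user's key; each party can open only the message meant for it, and a ticket altered in transit fails the tag check in toy_decrypt.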
Figure 7-29 Initiating a Kerberos Session.
Figure 7-30 Obtaining a Ticket to Access a File.
Figure 7-31 Access to Services and Servers in Kerberos.
Firewalls
Firewall: permits or denies transmissions between networks based upon a set of rules.
Packet filter firewall: rule based, stateless, fast.
  ◦ Each packet must be investigated.
Stateful firewall: tracks active sessions.
  ◦ Maintains a state table of sessions.
  ◦ Slower than packet filtering but more secure.
Application firewall: works at the application layer (L7).
  ◦ Inspects all packets for improper content; can restrict or prevent outright the spread of networked computer worms and trojans.
Proxy: intercepts service requests and makes the request on the internal network for the external client.
Figure 7-32 Layered Network Protection.
Figure 7-33 Onion Routing. A has a message for B. Wrap the message for B in a package to D; wrap the package for D in a package to C. A sends the package to C. "Disguise traffic flows."
Figure 7-34 Packet Filter Blocking Addresses and Protocols. Use a screening router (packet filtering gateway) to block traffic. Simple and sometimes the most effective type of firewall.
Figure 7-35 Three Connected LANs. One inside network, two outside. Create a screening router to only allow traffic between networks.
Figure 7-36 Filter Screening Outside Addresses. Packet filter firewall screens out fake network traffic: outside traffic trying to appear as coming from the internal network.
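The Firewalls slide contrasts a stateless packet filter with a stateful firewall, and Figures 7-34 to 7-36 show a screening router dropping traffic by address and protocol, including outside packets forged with an inside source address. The following added example (not the textbook's code) runs both kinds of filter over the same four constructed packets. The address range, allowed ports and rules are assumptions made for the example; the point it shows is that a stateless ACL has to guess which inbound packets are replies (here by the ACK flag, which any sender can set), whereas the stateful firewall only admits inbound traffic that answers a session it saw opened from inside.

```python
# Added example, not the textbook's code: a stateless packet filter (screening
# router with an ACL) and a stateful firewall evaluated over the same constructed
# packets. Address ranges, ports and rules are assumptions made for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE_NET = ip_network("10.1.0.0/16")       # assumed internal network
ALLOWED_OUTBOUND_PORTS = {80, 443}           # assumed policy: web traffic only


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "inside" or "outside"
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set


def is_spoofed(p: Packet) -> bool:
    """Figure 7-36: traffic arriving from outside that claims an inside source is fake."""
    return p.iface == "outside" and ip_address(p.src) in INSIDE_NET


# Screening-router ACL: evaluated top to bottom, first match wins, implicit deny at the end.
ACL = [
    ("deny", "spoofed inside address from outside", is_spoofed),
    ("allow", "inside hosts may open web connections",
     lambda p: p.iface == "inside" and p.proto == "tcp" and p.dport in ALLOWED_OUTBOUND_PORTS),
    # A stateless filter cannot know which inbound packets are replies, so it has to
    # approximate "established" with the ACK flag, which any sender can set.
    ("allow", "inbound packet with ACK set (assumed reply)",
     lambda p: p.iface == "outside" and p.proto == "tcp" and p.ack),
]


def packet_filter(p: Packet) -> str:
    """Stateless decision: every packet is judged on its own header fields."""
    for action, _reason, match in ACL:
        if match(p):
            return action
    return "deny"


class StatefulFirewall:
    """Keeps a session table so inbound traffic is only allowed as a reply to a known session."""

    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport, proto) of connections opened from inside

    def inspect(self, p: Packet) -> str:
        if is_spoofed(p):
            return "deny"
        if p.iface == "inside" and p.proto == "tcp" and p.dport in ALLOWED_OUTBOUND_PORTS:
            self.sessions.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return "allow"
        if p.iface == "outside" and (p.dst, p.dport, p.src, p.sport, p.proto) in self.sessions:
            return "allow"      # reply half of a session we saw opened from inside
        return "deny"


# Constructed packets, in arrival order.
SAMPLE = [
    Packet("outside", "10.1.5.5", "10.1.0.10", "tcp", 4444, 22, syn=True),       # spoofed inside source
    Packet("inside", "10.1.0.10", "203.0.113.8", "tcp", 50000, 443, syn=True),    # outbound HTTPS
    Packet("outside", "203.0.113.8", "10.1.0.10", "tcp", 443, 50000, ack=True),   # genuine reply
    Packet("outside", "198.51.100.7", "10.1.0.10", "tcp", 443, 3389, ack=True),   # unsolicited, ACK set
]


def compare(packets=SAMPLE):
    """Return (stateless verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(packet_filter(p), fw.inspect(p)) for p in packets]


if __name__ == "__main__":
    for p, verdicts in zip(SAMPLE, compare()):
        print(p.iface, p.src, "->", p.dst, p.dport, verdicts)
```

The last packet is the one that separates the two designs: the ACL lets it through because its ACK flag looks like a reply, while the session table has no matching outbound connection and denies it. That is the cost-versus-security trade the slide summarises as "slower than packet filtering but more secure".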
Figure 7-37 Actions of Firewall Proxies. Intercepts service requests and then makes requests internally on behalf of external clients.
Figure 7-38 Firewall with Screening Router. Use ACLs to limit traffic.
Figure 7-39 Firewall on Separate LAN. Proxy firewall example.
Figure 7-40 Firewall with Proxy and Screening Router. Router: ACL. Firewall: rules. Internal network: IDS, host-based IDS, honeypot.
Figure 7-41 Common Components of an Intrusion Detection Framework.
SNORT & Honey Pot IDS
Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, combining the benefits of signature, protocol, and anomaly-based inspection.
Honey Pot
  ◦ Watch for suspicious traffic.
  ◦ Learn what attackers are trying to do.
  ◦ Acts as a diversion and can lure attackers.
Figure 7-42 Stealth Mode IDS Connected to Two Networks. Use two network interfaces, one to watch the network and the other for sending alerts. Avoid being knocked off the network by DoS attacks.
Intrusion Prevention (IPS)
Identify malicious activity, log information about the activity, attempt to block/stop the activity, and report the activity.
Intrusion prevention systems can be classified into four different types:
  ◦ Network-based Intrusion Prevention (NIPS): monitors the entire network for suspicious traffic by analyzing protocol activity.
  ◦ Wireless Intrusion Prevention Systems (WIPS): monitors a wireless network for suspicious traffic by analyzing wireless networking protocols.
  ◦ Network Behavior Analysis (NBA): examines network traffic to identify threats that generate unusual traffic flows, such as distributed denial of service (DDoS) attacks, certain forms of malware, and policy violations.
  ◦ Host-based Intrusion Prevention (HIPS): an installed software package which monitors a single host for suspicious activity by analyzing events occurring within that host.
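The Snort slide names three inspection styles (signature, protocol and anomaly) and the IPS slide adds the "block/stop" step that turns detection into prevention. The following added example (not Snort's or the textbook's code) is a toy sensor that applies one rule of each style to a constructed capture and runs either as an IDS, which only logs alerts, or as an IPS, which also drops all later packets from an offending source. The rule contents, the SYN-rate threshold and the sample addresses are assumptions chosen for the example.

```python
# Added example, not Snort's code or the textbook's: a toy sensor that combines
# signature, protocol and anomaly checks over constructed packets and can run as an
# IDS (alert only) or an IPS (alert and block the source). Rule contents and
# thresholds are assumptions chosen for this example.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float                       # seconds since capture start
    src: str
    dst: str
    proto: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. frozenset({"SYN"})
    payload: bytes = b""


# Signature-based: match known bad content (constructed rule, Snort "content"-style).
SIGNATURES = [
    ("sig-1", "directory traversal in HTTP request",
     lambda p: p.proto == "tcp" and p.dport == 80 and b"../" in p.payload),
]
# Protocol-based: a TCP segment can never legitimately carry SYN and FIN together.
PROTOCOL_CHECKS = [
    ("proto-1", "invalid TCP flag combination SYN+FIN",
     lambda p: p.proto == "tcp" and {"SYN", "FIN"} <= p.flags),
]
# Anomaly-based: too many new connections from one source in a short window.
SYN_WINDOW = 1.0     # seconds (assumed)
SYN_THRESHOLD = 20   # SYNs per source per window (assumed)


class Sensor:
    """block=False: IDS (log and alert). block=True: IPS (also drops the offending source)."""

    def __init__(self, block: bool = False):
        self.block = block
        self.alerts = []                    # (rule id, source, description)
        self.blocked = set()
        self.syn_times = defaultdict(deque)

    def process(self, p: Packet) -> str:
        if p.src in self.blocked:
            return "dropped"
        hits = [(rid, desc) for rid, desc, match in SIGNATURES + PROTOCOL_CHECKS if match(p)]
        if p.proto == "tcp" and p.flags == {"SYN"}:
            recent = self.syn_times[p.src]
            recent.append(p.ts)
            while recent and p.ts - recent[0] > SYN_WINDOW:
                recent.popleft()
            if len(recent) == SYN_THRESHOLD + 1:        # alert once when the threshold is crossed
                hits.append(("anom-1", "possible SYN flood"))
        for rid, desc in hits:
            self.alerts.append((rid, p.src, desc))
        if hits and self.block:
            self.blocked.add(p.src)
            return "blocked"
        return "alert" if hits else "pass"


def sample_traffic():
    """Constructed capture: one normal request, one traversal, one SYN+FIN probe, 25 SYNs."""
    http = frozenset({"ACK", "PSH"})
    pkts = [
        Packet(0.0, "203.0.113.5", "10.1.0.20", "tcp", 80, http, b"GET /index.html HTTP/1.1"),
        Packet(0.1, "203.0.113.5", "10.1.0.20", "tcp", 80, http, b"GET /../../secret.txt HTTP/1.1"),
        Packet(0.2, "198.51.100.7", "10.1.0.20", "tcp", 22, frozenset({"SYN", "FIN"})),
    ]
    pkts += [Packet(0.3 + i * 0.01, "198.51.100.9", "10.1.0.20", "tcp", 443, frozenset({"SYN"}))
             for i in range(25)]
    return pkts


def run(block: bool):
    """Feed the sample capture through one sensor; return (sensor, per-packet verdicts)."""
    sensor = Sensor(block)
    return sensor, [sensor.process(p) for p in sample_traffic()]


if __name__ == "__main__":
    ids, _ = run(block=False)
    for alert in ids.alerts:
        print(alert)
```

In IDS mode all three rules fire and every packet still reaches the host; in IPS mode the same three alerts occur, but the remaining SYNs from the flooding source are dropped before the host sees them. The block decision sits inline, which is why the stealth-mode figure above keeps a separate interface for alerts: a sensor that can be knocked over by the traffic it inspects cannot prevent anything.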
Email Security
Pretty Good Privacy
  ◦ Asymmetric encryption
  ◦ Confidentiality
  ◦ Integrity
  ◦ Authentication
  ◦ Nonrepudiation
  ◦ Web of Trust: you trust all the digital certificates that I trust.
Figure 7-43 Overview of Encrypted E-Mail Processing.
Figure 7-44 Encrypted E-Mail–Secured Message.
Figure 7-45 Encrypted E-Mail Processing in Message Transmission.